Also observed we were continously scanned with the vulnerability (random "jndi:ldap" in requests) from diverse IPs, some from China But I take advantage of `ast` to build the syntax tree, then stroll it and compare every single AST object to your white list to help you only use numbers and https://prohactive.com
